ABSTRACT 1

In 2009, four of the top ten Fortune 500 companies were classified within the oil and gas industry. Organizations of 
this size typically have an advanced Enterprise Risk Management system in place to mitigate risk and to achieve 
their corporations' objectives. The companies and the article utilize the Enterprise Risk Management Integrated
Framework developed by the Committee of Sponsoring Organizations (COSO) as a guide to organize their risk
management and reporting. The authors used the framework to analyze reporting years 2009 and 2010 for Fortune
500 oil and gas companies. After gathering and examining information from 2009 and 2010 annual reports, 10-K 
filings, and proxy statements, the article examines how the selected companies are implementing requirements 
identified in the previously mentioned publications. 

Each section examines the companies' Enterprise Risk Management system, risk appetite, and any other notable
information regarding risk management. One observation was the existence or non-existence of a Chief Risk Officer
or other Senior Level Manager in charge of risk management. Other observations included identified risks, such as
changes in economic, regulatory, and political environments in the different countries where the corporations do
business. Still others identify risks, such as increases in certain costs that exceed natural inflation, volatility and
instability of market conditions. Fortune 500 oil and gas companies included in this analysis are ExxonMobil,
Chevron, ConocoPhillips, Baker Hughes, Valero Energy, and Frontier Oil Corporation.

An analysis revealed a sophisticated understanding and reporting of many types of risks, including those associated
with increasing production capacity. Specific risks identified by companies included start-up timing, operational
outages, weather events, regulatory changes, geo-political and cyber security risks, among others. Mitigation
efforts included portfolio management and financial strength. There is evidence that companies in later reports 
(2013) are more comprehensive in their risk management and reports as evidenced by their 10-K and Proxy 
Statements (Marathon Oil Corporation, 2013). 
INTRODUCTION


Enterprise Risk Management 


Implementing and using Enterprise Risk Management is a necessary and growing activity in today's
unstable economy. The Committee of Sponsoring Organizations defines Enterprise Risk Management
as a process affected by an entity's board of directors, management and other personnel; this process is
applied within a corporation, designed to identify potential events which may affect the entity, and manage risks to
be within its risk appetite. In addition, Enterprise Risk Management is a process that provides reasonable assurance
regarding the achievement of the entity’s objectives. Companies can identify, assess, respond, and monitor the
outcomes of the corporation’s leading risk factors with an Enterprise Risk Management system in place.

1 This manuscript was originally published in the American Journal of Business Education 6(6). Due to high download rates this manuscript has
been reprinted.

This article uses the framework from the “Report on the Current State of Enterprise Risk Oversight” published by
the AICPA Business, Industry, & Government Team and the “Enterprise Risk Management Initiative” at North
Carolina State University to analyze reporting years 2009 and 2010 for selected Fortune 500 oil and gas companies.
After gathering and examining information from 2009 and 2010 annual reports, 10-K filings, and proxy statements,
the article examines how the selected companies are implementing requirements identified in the previously 
mentioned publications. Fortune 500 oil and gas companies included in this analysis are ExxonMobil, Chevron, 
ConocoPhillips, Baker Hughes, Valero Energy, and Frontier Oil Corporation. 

The Companies 

ExxonMobil 

In 2009, ExxonMobil dominated the Fortune 500 list as the largest company in America with their sales reaching as
high as $275.56 billion and gross income of $75.79 billion. In 2010, sales soared to a remarkable $341.58 billion
and gross income rose to $90.92 billion. Moreover, ExxonMobil is a well-established corporation within the oil and
gas industry. ExxonMobil's executives expanded on the corporation's long-standing risk management system.
ExxonMobil's risk management system encourages a risk-averse philosophy to govern the corporation's business
decisions; additionally, this risk/reward ideology discourages executives from taking inappropriate risks. The risk
management section of ExxonMobil's annual statement identifies the leading areas of risk and the actions taken by
the corporation to mitigate these risks. 

ExxonMobil utilizes the risk management section of the 2010 annual statement to itemize a few of the major risks 
associated with increasing the corporation’s production capacity. For instance, these production quantity increases 
are subject to an assortment of risks, including project start-up timing, operational outages, reservoir performance, 
crude oil and natural gas prices, weather events, and regulatory changes. In addition, ExxonMobil's volume of cash 
flow depends greatly on crude oil and natural gas prices. To maintain the trust and support of investors, 
ExxonMobil details the manner in which they mitigate the risks listed above. As addressed in ExxonMobil’s 2009
Annual Statement (report), “The Corporation has a large and diverse portfolio of development projects and
exploration opportunities, which helps mitigate the overall political and technical risks of the Corporation's
upstream segment and associated cash flow.” Furthermore, the risk due to failure or delay of an individual project
is mitigated by the corporation's financial strength, debt capacity, and well diversified portfolio. As the corporation
continues to mitigate political and technical risks, ExxonMobil focuses on maximizing shareholder value. After
evaluating the factors associated with ExxonMobil's risk management system, it is appropriate to conclude the
corporation has constructed a well-developed system of mitigating risk; moreover, this system is based on a
risk-averse philosophy. Despite the well thought-out risk management system, ExxonMobil’s 2009 Annual Report fails
to mention the position of a Chief Risk Officer. The assessment of ExxonMobil's Enterprise Risk Management
system leads to the conclusion that the risk-averse approach has been quite successful; however, developing the
position of Chief Risk Officer would improve the management of the overall system. It is probable that duties of a
Chief Risk Officer are handled by someone and their team housed within the upper echelon of management.
Nevertheless, an appropriate reference to such a person and team should be reported.

Other publications that discuss risks include The Lamp and ExxonMobil 2011 Corporate Citizenship Report, which 
is published bi-annually and includes climate changes, environmental challenges, math and science projects, etc. 
The Lamp is published for ExxonMobil's shareholders. The latest issue of The Lamp included partnerships with the 
National Oil Company of Columbia, an article on Canadian shale and an article on Angola Block 15. The Angola 
site employs 78% Angolans. A chart of risks, mitigation methods, and mitigation method/control effectiveness is 
presented at the end of this article for all companies. 
Chevron

In 2009, Chevron ranked third among the Fortune 500 corporations, with revenue soaring as high as $263 billion,
leaving many of their competitors in their wake. Chevron has proven to be a successful corporation within the oil
and gas industry. While dominating the market, Chevron has implemented one of the most impressive and
comprehensive Enterprise Risk Management (ERM) systems as evidenced by their continuing identification,
assessment, and response to risks. Chevron utilizes the annual statements to inform current and potential
shareholders of the possible risks involved in the oil and gas industry. In particular, Chevron identified potential
risks surrounding the volatility of crude oil prices, infrequent events or transactions, changing economic conditions,
varying regulation and political risk within affiliated countries, and some increases in certain costs which exceed the
natural inflation rate. To reassure investors on Chevron's ability to provide adequate responses to these risks,
Chevron continually evaluates its risks and opportunities and closely monitors developments. After reviewing
Chevron's risk factors, it is reasonable to conclude that Chevron's Enterprise Risk Management system is among the 
most developed and complex systems out of the six oil and gas companies reviewed. 

Although Chevron has an advanced risk management system, they did not mention the position of Chief Risk 
Officer. The extensive list of risk factors led the authors to conclude that Chevron is strongly risk-averse. 
Additionally, the company's investment endeavors are influenced by Chevron's risk tolerance level. After 
reviewing Chevron's 2010 Proxy Statement, the section regarding the oversight of risk addresses who is responsible
for risk assessment and management. Specifically, the 2010 Proxy Statement specifies that oversight responsibility 
falls upon the Audit Committee to assist the Board in monitoring Chevron's risk exposure while also developing 
guidelines and policies to govern processes for managing risks. The Committee discusses Chevron’s policies with 
respect to risk assessment and risk management. As such, Chevron has a well-developed and documented 
Enterprise Risk Management system. 

ConocoPhillips 

In 2009, ConocoPhillips moved ahead of General Motors to claim fourth spot among the Fortune 500 companies.
At this time, the corporation earned $149.34 billion in gross sales and $8.91 billion in net income. In 2010, these
figures increased to $189.44 billion and $11.36 billion, respectively. ConocoPhillips’ success is not limited to the
oil and gas industry. Their 2009 Annual Report mentions the company's claims to possess a high expertise in risk
assessment; this is demonstrated in their exploration strategy into the frontier basins. ConocoPhillips seeks to
engage the use of frontier basins by securing attractive positions that balance risk and cost. This leads to the 
consideration that ConocoPhillips has a risk-neutral appetite within their day-to-day procedures and risk 
management process. 

Throughout the annual report, ConocoPhillips uses the key words safe and reliable; moreover, the report mentions
that ConocoPhillips always uses a disciplined approach when conducting business. The following statement from 
the 2009 Annual Report was taken into consideration when considering the company's risk appetite: “With robust 
captured opportunities on hand, we are not pursuing new areas that cannot be competed favorably.” In capturing 
such robust opportunities, ConocoPhillips is portrayed to be risk-neutral. 

The 2009 and 2010 Annual Reports do not mention the position of a Chief Risk Officer or other Senior Level 
Manager. However, in the reading, it is obvious that ConocoPhillips has a respectable and thorough process for 
managing risks. After reviewing ConocoPhillips' 2010 Proxy Statement regarding risk oversight, responsibility is
assigned to ConocoPhillips' Management. In addition, the Board of Directors has oversight responsibility for Risk
Management programs. In this role, the Board of Directors reviews and designs implementation of the risk
management processes, assuring they are functioning as intended. Delegation occurs to individual Board
committees, such as the Audit and Finance Committee. Additionally, the Audit and Finance Committee routinely
discusses the corporation's risk assessment and risk management policies to verify that the programs are operating
as they were designed. Furthermore, the Chairman of the Audit and Finance Committee conducts an annual meeting
where the Chairs of each Board committee gather to discuss the functionality of the current risk management
programs. Moreover, within the course of the year, the Board of Directors receives regular updates from the 
respective Board committees identifying individual areas of concern. All said, the systems appear comprehensive. 
Valero Energy

In 2009, Valero Energy ranked tenth on the Fortune 500 list, following Hewlett-Packard, with $64.60 billion in
revenue and a negative $273.00 million in net income. In 2010, Valero’s financial position changed drastically,
producing revenue of $82.23 billion and increasing the company's net income to a positive $923.00 million. Valero
is a highly competitive oil and gas company within the industry. Surprisingly, Valero’s 2009 Annual Report
contains no reference to the implementation of a risk management process. Throughout the 2009 Annual Report,
Valero stressed the importance of taking aggressive steps to combat future challenges, while growing more 
competitive among the oil and gas industry. 

During 2009, Valero took advantage of the opportunity to invest in alternative energy. Specifically, Valero entered 
the ethanol business in 2009 by acquiring seven ethanol plants in the Midwest. This acquisition, along with the 
purchase of three additional ethanol plants during 2009, proved to be quite beneficial to the corporation, increasing 
the capacity by 1.1 billion gallons per year. This causes Valero to be one of the largest producers of ethanol in the
country. Valero’s ability to recognize the opportunity to invest in alternative energy was promising to the
corporation’s future success; this is also a statement on the company's level of tolerable risk. In the 2009 Annual
Report, Valero released a statement mentioning every investment, every action, must be directly and efficiently tied
to the achievement of the company’s vision. This serves as evidence of the use of a risk management process to base
the corporation's decisions. However, even though Valero had a seemingly advanced process to manage risk, 
evidence of a Chief Risk Officer was non-existent. 

Valero dropped from the tenth to the twenty-sixth spot in the 2010 Fortune 500 list. The 2010 Proxy Statement 
contains a section regarding risk management and the Board's responsibility toward risk management. These
responsibilities include receiving reports from members of senior management on areas of material risk. These
reports are used to enable the Board to understand and manage Valero's risk identification, management, and
mitigation strategies. Afterward, the chairperson of each Committee reports on the matters to the Board. The Board
also believes risk management is an integral part of Valero's annual strategic planning process. Valero's Chief
Audit Officer annually prepares a comprehensive risk assessment report, which is reviewed by the Audit committee. 
Furthermore, this report identifies Valero’s material business risks and internal controls that respond to and mitigate 
those risks. 

Baker Hughes, Inc. 

In 2009, Baker Hughes Inc. was number 227 on the Fortune 500 list, with revenue of $9.66 billion and net income
of $0.42 billion. In 2010, Baker Hughes moved to number 243 on the Fortune 500 list, sales rose to $14.41 billion
and net income increased to $0.81 billion. In contrast to the aforementioned companies, Baker Hughes resides
within the oil well services and equipment industry. The 2009 Annual Report includes a lengthy section devoted
entirely to identifying the corporation's material risks. This section also details the effect of the risk on Baker
Hughes and specifies what steps are being taken to combat these risks. Baker Hughes' material risks include
volatility of oil and natural gas prices, factors affecting demand for oil and natural gas, seasonal and adverse weather
conditions, a highly competitive market, geopolitical risks, and terrorism risks. However, Baker Hughes' impressive
risk management process failed to identify a Senior Level Manager devoted to leading this process. Furthermore,
Baker Hughes did not mention what part of the company was responsible for managing risk. 

Baker Hughes' risk appetite is supported by the company's competitive decision-making process within the market. 
The Corporation retains their position in the highly competitive market by creating value for their customers through 
developing new and reliable products and services. Baker Hughes decided to take on a greater level of risk when
searching for potential growth areas within the operating segment; this plan was implemented to assist the
corporation in excelling in an active and competitive market. The company's philosophy is that with big risk comes
big reward; in this case, reward references the company's ability to remain competitive in a highly aggressive
market. Baker Hughes' risk management system can affect the company's financial position. However, with such a
mature Enterprise Risk Management system in place, Baker Hughes is able to undertake a greater level of risk
compared to other companies who may have poorly assessed their risks. In conclusion, it appears that Baker
Hughes' decisions are based on a risk-seeking appetite. The 2010 Proxy Statement does not explore the risk
management system; however, the 2010 Annual Report details oversight risk analysis and risk management procedures.
The responsibility of reviewing the guidelines and policies on Enterprise Risk Management falls upon the Audit and 
Ethics Committee, including risk assessment and risk management related to the company's major financial risk 
exposures and the steps management has taken to monitor and mitigate such exposures. The Chief Compliance 
Officer provides a report to the committee, including updates pertaining to the status of the company's compliance 
with its standards, policies, procedures, and processes. Baker Hughes maintains an Enterprise Risk Management 
process which reviews the business's risk framework, including an assessment of external risk, internal risks, and 
appropriate mitigation activities. An annual Enterprise Risk Management report is presented to the Audit and Ethics 
Committee and a presentation is made to the entire Board. In conclusion, the Board of Directors believes that the 
risk management processes in place for Baker Hughes are appropriate. 

Frontier Oil Corporation 

In 2009, Frontier Oil Corporation ranked number 383 on the Fortune 500 list, with $6.50 billion in revenue and
$80.20 million in net income. In 2010, Frontier Oil Corporation dropped over 100 spots on the Fortune 500 list to
number 488, with $4.23 billion in revenue and a negative $83.80 million in net income. Frontier resides within the
petroleum refining industry, although the company is substantially smaller than the competition included in this
study. Frontier dedicated the first section of the 2009 Annual Report to identifying related risks. The list of
potential material risk factors includes fluctuating crude oil prices, instability and volatility of the market, demand
fluctuations, competition with other refining companies, terrorist attacks, and threats. The fact that Frontier has a
section in the annual report dedicated specifically to risks is a promising attribute among a small scaled company; 
the first step to producing a well-developed Enterprise Risk Management system is to identify the company's major 
risk areas. 

Throughout the 2009 Annual Report, the shareholders are informed of what risks are present and how these risks 
directly affect Frontier, although no plan is mentioned to combat these specific risks. The 2010 Proxy Statement 
failed to identify a Chief Executive Officer; however, the statement did contain a section detailing the 
responsibilities of the Board regarding risk management. The Board and committees oversee Frontier’s primary 
risks - financial, operating, liquidity, environmental, health, and safety, as well as the strategic direction of the 
company. Specifically, the Audit Committee monitors the work performed by internal audits in such areas as 
hedging inventory positions and reviewing the risk policies followed in purchasing crude oil and other feed stocks. 
As such, Frontier Oil Corporation is similar in risk management organization as others included in this investigation. 

SUMMARY 

Table 1 summarizes company-identified and reported risks extracted from annual reports, 10-K's, 8-K's, and Proxy
Statements. Additionally, related methods of mitigation and mitigation effectiveness are assigned by the reporters
and, in some cases, the authors. Mitigation methods, including “Large and Diverse Portfolio” and “Financial
Strength”, were used repetitively by companies. All analyzed companies were financially strong, thus yielding a
High rating on mitigation effectiveness. Additionally, all were large and diverse in their portfolio. When referring
to “Large and Diverse Portfolio”, most often, this was an indication of diversity/portfolio richness to include
on-shore and off-shore, well depth, deposits of both oil and gas, quality of reserves owned, geographical location, and
exploration into frontier basins and emerging energy markets. Thus, diversity also referred to drilling technology
and research and development of such. All companies were strong in application of their mission. Thus, they used
their money and efforts in accomplishing the mission of “Oil and Gas Exploration and Production”. The term Oil
and Gas Exploration and Production, in some cases, is replaced with “Energy”.
Table 1. Risk Summary Chart

| Risks - Operating, Financial, Strategic | Method of Mitigation | Control/Mitigation Effectiveness |
|---|---|---|
| Start-up Timing | Scheduling | High |
| | Large and Diverse Portfolio | Moderate |
| | Financial Strength | Moderate |
| Operational Outages | Scheduling | High |
| | Maintenance | High |
| | Back-up systems | High |
| | Disaster Recovery system | High |
| | Large and Diverse Portfolio | High |
| | Financial Strength | High |
| Reservoir Performance | Research and Development | High |
| | Implement new technology | High |
| | Accuracy of Engineering Estimates | High |
| | Large and Diverse Portfolio | High |
| | Financial Strength | High |
| Exploration Risk | Exploration strategy into frontier basins; Diverse Portfolio and Financial Strength | High |
| Volatility of Crude Oil and Natural Gas Prices | Location Diversification | Low |
| | Energy Type Diversification | High |
| | Large and Diverse Portfolio | High |
| | Financial Strength | High |
| Weather Events | Location Diversification | Low |
| | New Technology | High |
| | Safety | High |
| | Large and Diverse Portfolio | High |
| | Financial Strength | High |
| Regulatory Changes | Lobby Efforts | High |
| | Environmental Practices | High |
| | Ethical Practices | High |
| | Corporate Citizenship | High |
| | Large and Diverse Portfolio | High |
| | Financial Strength | High |
| Political Risks | Corporate Governance | High |
| | Large and Diverse Portfolio | High |
| | Financial Strength | High |
| Technical Risks | Technology Advancement | Medium |
| | Large and Diverse Portfolio | High |
| | Financial Strength | High |
| Geo Political Risks | Geographical Diversification | High |
| | Corporate Citizenship | High |
| | World-wide Partnerships | High |
| | Large and Diverse Portfolio | High |
| | Financial Strength | High |
| Cyber Security Risks | Cyber Infrastructure | High |
| | BYOD (Bring your Own Device) | High |
| | Management | High |
| | Cloud Management | High |
| | Large and Diverse Portfolio; Financial Strength | High |
| Infrequent Events Transactions Risk | Large and Diverse Portfolio | High |
| | Financial Strength | High |
| Changing Macroeconomic Conditions Risk | Large and Diverse Portfolio | Moderate |
| | Financial Strength | Moderate |
| Inflation Currency Valuation Risk | Hedging | Moderate |
| | Large and Diverse Portfolio | Moderate |
| | Financial Strength | Moderate |

Table 2 summarizes company-reported assignment of a “Chief Risk Officer” and author assignment of “Level of
Risk Appetite/Tolerance”, along with “Fortune 500 Ranking”. While several industries have taken steps to
implement the role of Chief Risk Officer, the oil and gas companies analyzed used Management, the Board, and
members of the Audit committee to handle such tasks.

Industries that have taken steps to implement a Chief Risk Officer include banking, insurance, and other financial
services industries, specifically financial institutions when dealing with the credit crisis that may have been caused
by ineffective assessments of customers' rate of risk tolerance. Others include health care, retail, and real estate.
The position of Chief Risk Officer grows more prominent in businesses as the regulations regarding risk
management increase. For instance, two recent regulations include the Sarbanes Oxley Act and the Securities and
Exchange Commission's requirement to include an assessment of risk in the yearly proxy statement.


Table 2. Summary of Risk Appetite Rankings

| Company | Chief Risk Officer 2009 | Chief Risk Officer 2010 | Level of Risk Appetite/Tolerance 2009 | Level of Risk Appetite/Tolerance 2010 | Fortune 500 Ranking 2009 | Fortune 500 Ranking 2010 |
|---|---|---|---|---|---|---|
| ExxonMobil | N/A | N/A | Risk Averse | Risk Averse | 1 | |
| Chevron | N/A | N/A | Risk Averse | Risk Averse | 3 | 3 |
| ConocoPhillips | N/A | N/A | Risk Moderate | Risk Moderate | 4 | 6 |
| Valero Energy | N/A | N/A | Risk Moderate | Risk Moderate | 10 | 26 |
| Baker Hughes | N/A | N/A | Risk Moderate | Risk Moderate | 227 | 243 |
| Frontier Oil Corporation | N/A | N/A | Risk Moderate | Risk Moderate | 383 | 488 |


CONCLUSION 

At the end of 2009, the U.S. Securities and Exchange Commission began requiring all “U.S. publicly-traded 
companies to include in their annual proxy statements information about the Board's involvement in risk oversight.” 
Ideally, the SEC's reporting requirement will require the oil and gas industry to further develop its Enterprise Risk
Management systems. In conclusion, companies ranking higher on the Fortune 500 list appeared to have more 
mature and developed approaches to implementing Enterprise Risk Management systems. 

In addition, several industries have taken steps to implement the role of Chief Risk Officer. A few examples include 
banking, insurance, and other financial services industries. Oil and gas companies place such responsibilities
squarely on the Audit committee and its infrastructure. Some industries have adopted the position of Chief Risk 
Officer, including health care, retail, and real estate. The position of Chief Risk Officer grows more prominent in 
businesses as the regulations regarding risk management increase. 

In conclusion, all six corporations followed the Securities and Exchange Commission reporting requirements which 
were implemented at the close of 2009. Furthermore, each company’s 2010 Proxy Statement included a section 
detailing information about the Board's involvement in the risk oversight process. Moreover, many of the 2010 
Proxy Statements broke down the Board's risk oversight responsibility among the committees and explained the 
process of identifying, assessing, mitigating, and reporting on the corporation’s risks. 